Export (0) Print
Expand All

PsSetCreateProcessNotifyRoutine routine

The PsSetCreateProcessNotifyRoutine routine adds a driver-supplied callback routine to, or removes it from, a list of routines to be called whenever a process is created or deleted.

Syntax


NTSTATUS PsSetCreateProcessNotifyRoutine(
  _In_  PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine,
  _In_  BOOLEAN Remove
);

Parameters

NotifyRoutine [in]

Specifies the entry point of a caller-supplied process-creation callback routine.

Remove [in]

Indicates whether the routine specified by NotifyRoutine should be added to or removed from the system's list of notification routines. If FALSE, the specified routine is added to the list. If TRUE, the specified routine is removed from the list.

Return value

PsSetCreateProcessNotifyRoutine can return one of the following:

Return codeDescription
STATUS_SUCCESS

The given NotifyRoutine is now registered with the system.

STATUS_INVALID_PARAMETER

The given NotifyRoutine has already been registered, so this call is a redundant call, or the system has reached its limit for registering process-creation callbacks.

 

Remarks

Highest-level drivers can call PsSetCreateProcessNotifyRoutine to set up their process-creation notify routines, declared as follows:


VOID
(*PCREATE_PROCESS_NOTIFY_ROUTINE) (
    IN HANDLE  ParentId,
    IN HANDLE  ProcessId,
    IN BOOLEAN  Create
    );

The ParentId and ProcessId parameters identify the process, and the Create parameter indicates whether the process was created (TRUE) or deleted (FALSE).

An IFS or highest-level system-profiling driver might register a process-creation callback to track the system-wide creation and deletion of processes against the driver's internal state. For Windows Vista and later versions of Windows, the system can register up to 64 process-creation callbacks.

A driver must remove any callbacks that it registers before it unloads. You can remove the callback by calling PsSetCreateProcessNotify with Remove = TRUE.

After a driver-supplied routine is registered, it is called with Create set to TRUE just after the initial thread is created within the newly created process designated by the input ProcessId handle. The input ParentId handle identifies the parent process of the newly-created process (this is the parent used for priority, affinity, quota, token, and handle inheritance, among others).

A driver's process-notify routine is also called with Create set to FALSE, typically when the last thread within a process has terminated and the process address space is about to be deleted.

The operating system calls the driver's process-notify routine at PASSIVE_LEVEL inside a critical region with normal kernel APCs disabled. When a process is created, the process-notify routine runs in the context of the thread that created the new process. When a process is deleted, the process-notify routine runs in the context of the last thread to exit from the process.

Requirements

Version

Available starting with Windows 2000.

Header

Ntddk.h (include Ntddk.h)

Library

Ntoskrnl.lib

IRQL

PASSIVE_LEVEL

DDI compliance rules

IrqlPsPassive, PowerIrpDDis, HwStorPortProhibitedDDIs

See also

PsGetCurrentProcessId
PsSetCreateProcessNotifyRoutineEx
PsSetCreateThreadNotifyRoutine
PsSetLoadImageNotifyRoutine

 

 

Send comments about this topic to Microsoft

Show:
© 2014 Microsoft